hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-13 22:44:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
70,587 Commits 1,679 Branches 158 Tags
6777a34dfb231cab96ef2fb07f571e2ace7e7026
Commit Graph

1863 Commits

Author SHA1 Message Date
Taus
8c015b0784 Merge pull request #17305 from Kwstubbs/CORSMiddleware-Starlette 
Python: Add Support for CORS Middlewares
 2024-09-24 15:51:49 +02:00
Kevin Stubbings
01aa63e170 Add tests 2024-09-23 16:47:10 -07:00
Porcupiney Hairs
f86570f6e7 WIP: Python: CORS Bypass 
This PR adds a query to detect a Cross Origin Resource Sharing(CORS) policy bypass due to an incorrect check.

This PR attempts to detect the vulnerability pattern found in CVE-2022-3457

```python
if request.method in ['POST', 'PUT', 'PATCH', 'DELETE']:
    origin = request.headers.get('Origin', None)
    if origin and not origin.startswith(request.base):
        raise cherrypy.HTTPError(403, 'Unexpected Origin header')
```

In this case, a value obtained from a header is compared using `startswith` call. This comparision is easily bypassed resulting in a CORS bypass. Given that similar bugs have been found in other languages as well, I think this PR would be a great addition to the exisitng python query pack.

The databases for CVE-2022-3457 can be downloaded from
```
https://filetransfer.io/data-package/i4Mfepls#link
https://file.io/V67T4SSgmExF
```
 2024-09-03 03:11:35 +05:30
Joe Farebrother
62c2fe6b17 Merge pull request #16933 from joefarebrother/python-cookie-concept-promote 
Python: Promote the insecure cookie query from experimental
 2024-08-07 09:06:05 +01:00
Anders Schack-Mulligen
377301a55a Merge pull request #17108 from aschackmull/dataflow/flowthrough-provenance 
Dataflow: Propagate provenance correctly for flow-through wrappers.
 2024-08-01 09:35:56 +02:00
yoff
251036c6b4 Merge pull request #17080 from sylwia-budzynska/streamlit 
Python: Add Streamlit models
 2024-07-31 18:20:11 +02:00
Anders Schack-Mulligen
9724516c84 C#/Go/Java/Python/Ruby: Accept qltest .expected changes. 2024-07-31 14:45:10 +02:00
Sylwia Budzynska
9741ddb926 Add remoteflowsoucre test 2024-07-30 17:20:14 +02:00
Joe Farebrother
68512eea14 Remove remaining files from experimental tests 2024-07-29 11:19:33 +01:00
Joe Farebrother
1127b08635 Merge branch 'main' into python-cookie-concept-promote 2024-07-29 10:26:03 +01:00
Joe Farebrother
b28d79960b Update ConceptsTests and make a fix 2024-07-23 10:15:09 +01:00
Joe Farebrother
a73d675e6e Remove experimental query versions 2024-07-23 10:14:55 +01:00
Joe Farebrother
32fbe52f0f Model cookie attributes for Django and Flask 2024-07-23 10:14:33 +01:00
Joe Farebrother
070d67816d Remove experimental version 2024-07-16 16:50:10 +01:00
Rasmus Wriedt Larsen
f41d2a896c Merge pull request #16771 from porcupineyhairs/js2py 
Python : Arbitrary code execution due to Js2Py
 2024-07-11 15:31:57 +02:00
Rasmus Wriedt Larsen
5ecde387af Python: Fix .expected 2024-07-11 14:42:26 +02:00
Porcupiney Hairs
808af28618 Python : Arbitrary codde execution due to Js2Py 
Js2Py is a Javascript to Python translation library written in Python. It allows users to invoke JavaScript code directly from Python.
The Js2Py interpreter by default exposes the entire standard library to it's users. This can lead to security issues if a malicious input were directly.

This PR includes a CodeQL query along with a qhelp and testcases to detect cases where an untrusted input flows to an Js2Py eval call.

This query successfully detects CVE-2023-0297 in `pyload/pyload`along with it's fix.
The databases can be downloaded from the links bellow.
```
https://file.io/qrMEjSJJoTq1
https://filetransfer.io/data-package/a02eab7V#link
```
 2024-07-03 19:06:34 +05:30
Joe Farebrother
b81d41ba7b Add django header write models for direct subscript write 2024-07-01 11:26:54 +01:00
Joe Farebrother
6b8080a5b3 Update concept tests for header writes 2024-06-24 17:27:02 +01:00
am0o0
8a7fdfa6fe fix conflict 2024-06-18 17:18:59 +02:00
am0o0
b9edcb7943 rename secondary to remote :), complete the previous commit changes 2024-05-29 16:47:37 +02:00
Anders Schack-Mulligen
987d5712b8 Python: Accept qltest .expected file changes. 2024-05-22 15:43:49 +02:00
Rasmus Lerchedahl Petersen
a568873a8e Python: update test expectations 2024-05-17 10:59:49 +02:00
am0o0
37d33186e5 revert classRef deletion, fix secondaryserverCmdInjection expected test results 2024-05-13 15:02:04 +02:00
am0o0
90da07159e fix tests, chore on Find.ql 2024-05-10 08:51:23 +02:00
Joe Farebrother
ab23d0ad23 Merge branch 'main' into python-promote-header-injection 2024-05-08 13:49:00 +01:00
am0o0
8b93e815b9 minor test cases change: remove unused dict 2024-05-06 14:36:10 +02:00
amammad
c4a38d0a2f add twisted SSH client as secondary server command injection sinks, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
0a765cc94a add jsonpickle and pexpect libs in case of unsafe decoding and secondary command execution, add proper test cases 2024-05-06 14:36:10 +02:00
amammad
7e93102097 finalize Secondary server command injection queries and tests. 2024-05-06 14:36:10 +02:00
amammad
4df73f9975 continue to convert paramiko query to a more general query, 
the proxy command is not a secondary command execution
so we can add proxy command to SystemCommandExecution::Range, update QLDocs,
add a proper Paramiko test case
fix a typo
 2024-05-06 14:36:10 +02:00
amammad
5fea71e5d6 convert paramiko query to SecondaryServerCmdInjection query, Add inline tests 2024-05-06 14:36:10 +02:00
Joe Farebrother
8fb2faa89b Add additional info to concept tests 2024-04-24 14:05:41 +01:00
Joe Farebrother
2b935e575a Add concept tests + fix typo 2024-04-24 14:05:41 +01:00
Joe Farebrother
cf8db4e425 Update instances of experimental concept to the main one, and anotate missing experimental test results. 2024-04-24 14:05:39 +01:00
Joe Farebrother
b9984beb16 Add test cases 2024-04-24 14:05:37 +01:00
Rasmus Wriedt Larsen
bb00d6919a Python: Move dataflow TestUtil to importable location 2024-04-23 09:40:59 +02:00
Rasmus Wriedt Larsen
ce711f7d2f Python: Move dataflow tests out of experimental 2024-04-23 09:40:44 +02:00
Taus
58eaddf627 Python: Update all .expected files 
I'm beginning to realise why I didn't do the `toString` overriding way
back when. Thankfully, now that all of our tests are in the same place,
this is actually not a terrible ordeal.
 2024-04-22 12:00:09 +00:00
Taus
1c68c987b0 Python: Change all remaining occurrences of StrConst 
Done using
```
git grep StrConst | xargs sed -i 's/StrConst/StringLiteral/g'
```
 2024-04-22 12:00:09 +00:00
Anders Schack-Mulligen
cbcdf1f8b5 Python: Update expected output (interesting). 2024-04-12 09:20:33 +02:00
Anders Schack-Mulligen
bfcfedab8c Python: Update expected output (uninteresting). 2024-04-12 09:20:30 +02:00
yoff
1048cf7c5e Merge pull request #15711 from RasmusWL/tt-content 
Python: Add type tracking for content
 2024-04-09 10:37:43 +02:00
yoff
c520cb6d58 Merge branch 'main' into python/test-MaD-keyword-argument 2024-03-22 10:56:08 +01:00
Rasmus Lerchedahl Petersen
eef60c9ad2 python: add test for "ReturnValue.TupleElement[0,1]" 
also synchronise files
 2024-03-22 10:54:12 +01:00
yoff
ee411cc53a Merge pull request #15936 from yoff/python/test-conflicting-summaries 
Python: No `fieldFlowBranchLimit` for `SummarizedCallable`s
 2024-03-19 16:56:56 +01:00
yoff
f025430431 Merge pull request #15319 from Sim4n6/main 
[Python] Add Unicode DoS (qhelp, tests and the query)
 2024-03-19 10:00:30 +01:00
Tom Hvitved
e53357d376 Update expected test output 2024-03-18 14:49:32 +01:00
Sim4n6
1af8167354 updated the .expected file 2024-03-18 13:26:20 +00:00
Tom Hvitved
a13391bda1 Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths 
Variable capture: Avoid overlapping and false-positive data flow paths
 2024-03-18 10:45:55 +01:00